)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":24245,"name":"Harald Jensås","email":"hjensas@redhat.com","username":"harald.jensas"},"change_message_id":"aa2fa7cf573897b3dbfbfbb68db6bd5626083365","unresolved":true,"context_lines":[{"line_number":7,"context_line":"Add fake_project_id middleware for noauth"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"This adds a middleware for noauth that would inject a fake"},{"line_number":10,"context_line":"project_id for create requests. This would ensure that api"},{"line_number":11,"context_line":"consumers don\u0027t have to provide a fake project_id in requests."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Closes-Bug: #1934039"},{"line_number":14,"context_line":"Change-Id: I5e1de571034be41f1147c130fce66e6cf70b1369"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":3,"id":"5924be81_c01e033a","line":11,"range":{"start_line":10,"start_character":32,"end_line":11,"end_character":62},"updated":"2021-07-02 07:37:19.000000000","message":"+1, doing this here instead of requiring an update to all api user code for use with noauth would be a blessing.","commit_id":"f44796656c244055983b3504d83939f94dd198e8"}],"etc/api-paste.ini":[{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"ab999fee023a1b29c399f557d162280434d40888","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"[composite:neutronapi_v2_0]"},{"line_number":8,"context_line":"use \u003d call:neutron.auth:pipeline_factory"},{"line_number":9,"context_line":"noauth \u003d cors http_proxy_to_wsgi request_id fake_project_id catch_errors osprofiler extensions neutronapiapp_v2_0"},{"line_number":10,"context_line":"keystone \u003d cors http_proxy_to_wsgi request_id catch_errors osprofiler authtoken keystonecontext extensions neutronapiapp_v2_0"},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"[composite:neutronversions_composite]"}],"source_content_type":"text/x-properties","patch_set":5,"id":"248c3e0d_dde80b74","line":9,"range":{"start_line":9,"start_character":44,"end_line":9,"end_character":60},"updated":"2021-07-05 14:53:47.000000000","message":"nit: \"fake_project_id\" and \"keystonecontext\" play the same role in these pipelines.\nHow about adding \"fake_project_id\" between \"osprofiler\" and \"extensions\".\nThe current one works but it would be more consistent.","commit_id":"70856e829b7ccdd823b4b28953832d30082a2516"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"984b17d3dd06d81fa3e95a1c083c0328e57d611e","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"[composite:neutronapi_v2_0]"},{"line_number":8,"context_line":"use \u003d call:neutron.auth:pipeline_factory"},{"line_number":9,"context_line":"noauth \u003d cors http_proxy_to_wsgi request_id fake_project_id catch_errors osprofiler extensions neutronapiapp_v2_0"},{"line_number":10,"context_line":"keystone \u003d cors http_proxy_to_wsgi request_id catch_errors osprofiler authtoken keystonecontext extensions neutronapiapp_v2_0"},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"[composite:neutronversions_composite]"}],"source_content_type":"text/x-properties","patch_set":5,"id":"e224039e_30e938c2","line":9,"range":{"start_line":9,"start_character":44,"end_line":9,"end_character":60},"in_reply_to":"248c3e0d_dde80b74","updated":"2021-07-05 19:48:18.000000000","message":"+1","commit_id":"70856e829b7ccdd823b4b28953832d30082a2516"}],"neutron/api/extensions.py":[{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"f2436b46ef270bbee51c16f90e5e01fb960a5228","unresolved":true,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"from keystoneauth1 import loading as ks_loading"},{"line_number":21,"context_line":"from neutron_lib.api import extensions as api_extensions"},{"line_number":22,"context_line":"from neutron_lib import context"},{"line_number":23,"context_line":"from neutron_lib import exceptions"},{"line_number":24,"context_line":"from neutron_lib.plugins import directory"},{"line_number":25,"context_line":"from openstack import connection"}],"source_content_type":"text/x-python","patch_set":1,"id":"d437ffa0_128fc2af","line":22,"range":{"start_line":22,"start_character":0,"end_line":22,"end_character":4},"updated":"2021-07-02 07:01:38.000000000","message":"Why this change?","commit_id":"26fc23ffb9bcab6b63b03d594f7f96afc8368ee7"},{"author":{"_account_id":8833,"name":"Rabi Mishra","email":"ramishra@redhat.com","username":"rabi"},"change_message_id":"c1b1dd4ff2aadde9fa65e7765f35f72728a0d078","unresolved":true,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"from keystoneauth1 import loading as ks_loading"},{"line_number":21,"context_line":"from neutron_lib.api import extensions as api_extensions"},{"line_number":22,"context_line":"from neutron_lib import context"},{"line_number":23,"context_line":"from neutron_lib import exceptions"},{"line_number":24,"context_line":"from neutron_lib.plugins import directory"},{"line_number":25,"context_line":"from openstack import connection"}],"source_content_type":"text/x-python","patch_set":1,"id":"dac2447e_05f78d16","line":22,"range":{"start_line":22,"start_character":0,"end_line":22,"end_character":4},"in_reply_to":"d437ffa0_128fc2af","updated":"2021-07-02 07:05:11.000000000","message":"just a leftover. fixed in PS2","commit_id":"26fc23ffb9bcab6b63b03d594f7f96afc8368ee7"}],"neutron/auth.py":[{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"f2436b46ef270bbee51c16f90e5e01fb960a5228","unresolved":true,"context_lines":[{"line_number":45,"context_line":"    def __call__(self, req):"},{"line_number":46,"context_line":"        ctx \u003d context.Context.from_environ(req.environ)"},{"line_number":47,"context_line":"        if not ctx.project_id and req.method \u003d\u003d \u0027POST\u0027:"},{"line_number":48,"context_line":"            LOG.debug(\"X_PROJECT_ID is not found in request\")"},{"line_number":49,"context_line":"            # Inject project_id"},{"line_number":50,"context_line":"            ctx.project_id \u003d \u0027fake_project_id\u0027"},{"line_number":51,"context_line":"            # Inject the context..."}],"source_content_type":"text/x-python","patch_set":1,"id":"1cd327b4_dc5512c1","line":48,"range":{"start_line":48,"start_character":12,"end_line":48,"end_character":61},"updated":"2021-07-02 07:01:38.000000000","message":"If we use no_auth, that will happens in every call, right? This is going to fill out the logs.","commit_id":"26fc23ffb9bcab6b63b03d594f7f96afc8368ee7"},{"author":{"_account_id":8833,"name":"Rabi Mishra","email":"ramishra@redhat.com","username":"rabi"},"change_message_id":"c1b1dd4ff2aadde9fa65e7765f35f72728a0d078","unresolved":true,"context_lines":[{"line_number":45,"context_line":"    def __call__(self, req):"},{"line_number":46,"context_line":"        ctx \u003d context.Context.from_environ(req.environ)"},{"line_number":47,"context_line":"        if not ctx.project_id and req.method \u003d\u003d \u0027POST\u0027:"},{"line_number":48,"context_line":"            LOG.debug(\"X_PROJECT_ID is not found in request\")"},{"line_number":49,"context_line":"            # Inject project_id"},{"line_number":50,"context_line":"            ctx.project_id \u003d \u0027fake_project_id\u0027"},{"line_number":51,"context_line":"            # Inject the context..."}],"source_content_type":"text/x-python","patch_set":1,"id":"c93fceb8_e5ef1c28","line":48,"range":{"start_line":48,"start_character":12,"end_line":48,"end_character":61},"in_reply_to":"1cd327b4_dc5512c1","updated":"2021-07-02 07:05:11.000000000","message":"Isn\u0027t that a debug message like in L33?","commit_id":"26fc23ffb9bcab6b63b03d594f7f96afc8368ee7"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"c123a71cf0283e7e0d1e98f8f71bc68e00c5db62","unresolved":true,"context_lines":[{"line_number":45,"context_line":"    def __call__(self, req):"},{"line_number":46,"context_line":"        ctx \u003d context.Context.from_environ(req.environ)"},{"line_number":47,"context_line":"        if not ctx.project_id and req.method \u003d\u003d \u0027POST\u0027:"},{"line_number":48,"context_line":"            LOG.debug(\"X_PROJECT_ID is not found in request\")"},{"line_number":49,"context_line":"            # Inject project_id"},{"line_number":50,"context_line":"            ctx.project_id \u003d \u0027fake_project_id\u0027"},{"line_number":51,"context_line":"            # Inject the context..."}],"source_content_type":"text/x-python","patch_set":1,"id":"18846aab_6bcc1fb8","line":48,"range":{"start_line":48,"start_character":12,"end_line":48,"end_character":61},"in_reply_to":"c93fceb8_e5ef1c28","updated":"2021-07-02 07:25:45.000000000","message":"Yes but this is an exception, that should not happen. In this case, this debug message will be written in the log file every time you receive a POST command.","commit_id":"26fc23ffb9bcab6b63b03d594f7f96afc8368ee7"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"fcc24533b671271d4cfb40a028a52f9f980d9b94","unresolved":true,"context_lines":[{"line_number":48,"context_line":"        if not ctx.project_id and req.method \u003d\u003d \u0027POST\u0027:"},{"line_number":49,"context_line":"            # Inject project_id"},{"line_number":50,"context_line":"            ctx.project_id \u003d \u0027fake_project_id\u0027"},{"line_number":51,"context_line":"            ctx.is_admin \u003d True"},{"line_number":52,"context_line":"            # Inject the context..."},{"line_number":53,"context_line":"            req.environ[\u0027neutron.context\u0027] \u003d ctx"},{"line_number":54,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"6d4b6591_b066bb94","line":51,"range":{"start_line":51,"start_character":0,"end_line":51,"end_character":2},"updated":"2021-07-02 10:50:11.000000000","message":"I\u0027m not sure if you\u0027ll need something like [1]. Slawek or Akihiro will know this better for sure.\n\n[1]https://review.opendev.org/c/openstack/neutron-lib/+/781625/1/neutron_lib/context.py#128","commit_id":"6d3594baa541a8891f45f1d1e6539a8fa82c234b"},{"author":{"_account_id":8833,"name":"Rabi Mishra","email":"ramishra@redhat.com","username":"rabi"},"change_message_id":"61319d299d1d6036b6338a6e0089f6ace3f1e94d","unresolved":true,"context_lines":[{"line_number":48,"context_line":"        if not ctx.project_id and req.method \u003d\u003d \u0027POST\u0027:"},{"line_number":49,"context_line":"            # Inject project_id"},{"line_number":50,"context_line":"            ctx.project_id \u003d \u0027fake_project_id\u0027"},{"line_number":51,"context_line":"            ctx.is_admin \u003d True"},{"line_number":52,"context_line":"            # Inject the context..."},{"line_number":53,"context_line":"            req.environ[\u0027neutron.context\u0027] \u003d ctx"},{"line_number":54,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"b21f0c5a_a6c47bde","line":51,"range":{"start_line":51,"start_character":0,"end_line":51,"end_character":2},"in_reply_to":"6d4b6591_b066bb94","updated":"2021-07-02 11:04:46.000000000","message":"I\u0027ve added is_admin\u003dTrue for cases where request body has a project_id (backward compat) and the check[1] fails.\n\n\n[1] https://opendev.org/openstack/neutron-lib/src/branch/master/neutron_lib/api/attributes.py#L25-L33","commit_id":"6d3594baa541a8891f45f1d1e6539a8fa82c234b"},{"author":{"_account_id":8833,"name":"Rabi Mishra","email":"ramishra@redhat.com","username":"rabi"},"change_message_id":"bd04135dc0c3f5b23821c5f58604529f88f100a6","unresolved":true,"context_lines":[{"line_number":48,"context_line":"        if not ctx.project_id and req.method \u003d\u003d \u0027POST\u0027:"},{"line_number":49,"context_line":"            # Inject project_id"},{"line_number":50,"context_line":"            ctx.project_id \u003d \u0027fake_project_id\u0027"},{"line_number":51,"context_line":"            ctx.is_admin \u003d True"},{"line_number":52,"context_line":"            # Inject the context..."},{"line_number":53,"context_line":"            req.environ[\u0027neutron.context\u0027] \u003d ctx"},{"line_number":54,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"14e2bff9_78759ba8","line":51,"range":{"start_line":51,"start_character":0,"end_line":51,"end_character":2},"in_reply_to":"8a39f8fe_2a70c98b","updated":"2021-07-03 02:50:40.000000000","message":"Done. I thought we don\u0027t need the other things in elevated() with \u0027noauth\u0027.","commit_id":"6d3594baa541a8891f45f1d1e6539a8fa82c234b"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"62a4b2d8a0f2c4ab33bb80ca886e585bc4f7c33f","unresolved":true,"context_lines":[{"line_number":48,"context_line":"        if not ctx.project_id and req.method \u003d\u003d \u0027POST\u0027:"},{"line_number":49,"context_line":"            # Inject project_id"},{"line_number":50,"context_line":"            ctx.project_id \u003d \u0027fake_project_id\u0027"},{"line_number":51,"context_line":"            ctx.is_admin \u003d True"},{"line_number":52,"context_line":"            # Inject the context..."},{"line_number":53,"context_line":"            req.environ[\u0027neutron.context\u0027] \u003d ctx"},{"line_number":54,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"8a39f8fe_2a70c98b","line":51,"range":{"start_line":51,"start_character":0,"end_line":51,"end_character":2},"in_reply_to":"b21f0c5a_a6c47bde","updated":"2021-07-02 19:37:47.000000000","message":"please use ctx.elevated() instead of setting is_admin\u003dTrue manually","commit_id":"6d3594baa541a8891f45f1d1e6539a8fa82c234b"},{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"650a110dd88d2fda38a13526999cdcc7d5d08cf0","unresolved":true,"context_lines":[{"line_number":45,"context_line":"    @webob.dec.wsgify"},{"line_number":46,"context_line":"    def __call__(self, req):"},{"line_number":47,"context_line":"        ctx \u003d context.Context.from_environ(req.environ)"},{"line_number":48,"context_line":"        if not ctx.project_id and req.method \u003d\u003d \u0027POST\u0027:"},{"line_number":49,"context_line":"            # Inject project_id"},{"line_number":50,"context_line":"            ctx.project_id \u003d \u0027fake_project_id\u0027"},{"line_number":51,"context_line":"            # Inject the context with the admin flag set"}],"source_content_type":"text/x-python","patch_set":5,"id":"e644c522_e90852c3","line":48,"range":{"start_line":48,"start_character":34,"end_line":48,"end_character":54},"updated":"2021-07-05 10:40:39.000000000","message":"Why do we need to limit this for POST method?\nIs there any problem if we always add project_id information to all methods?\nThe proposed code uses different context for POST and non-POST methods.","commit_id":"70856e829b7ccdd823b4b28953832d30082a2516"},{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"ab999fee023a1b29c399f557d162280434d40888","unresolved":true,"context_lines":[{"line_number":45,"context_line":"    @webob.dec.wsgify"},{"line_number":46,"context_line":"    def __call__(self, req):"},{"line_number":47,"context_line":"        ctx \u003d context.Context.from_environ(req.environ)"},{"line_number":48,"context_line":"        if not ctx.project_id and req.method \u003d\u003d \u0027POST\u0027:"},{"line_number":49,"context_line":"            # Inject project_id"},{"line_number":50,"context_line":"            ctx.project_id \u003d \u0027fake_project_id\u0027"},{"line_number":51,"context_line":"            # Inject the context with the admin flag set"}],"source_content_type":"text/x-python","patch_set":5,"id":"a10ff204_96747d8b","line":48,"range":{"start_line":48,"start_character":34,"end_line":48,"end_character":54},"in_reply_to":"961f13f6_1b6001c0","updated":"2021-07-05 14:53:47.000000000","message":"\u003e Yes there is a problem as the projects that earlier used to pass project_id in request body with noauth and have different project_id would not be listed with \u0027GET\u0027 requests. Also, AFAICT project_id is only mandatory for \u0027POST\u0027 requests.\n\nI am not sure what \"have different project_id would not be listed with \u0027GET\u0027 requests.\n\" means. When using \u0027noauth\u0027 as auth_strategy, a context returned by get_admin_context() is used, so all resources from all projects will be listed with \u0027GET\u0027 requests ([1][2] depending on the API server implementation). I confirmed this behavior.\n\nBack to my original question, the minimum requirement from the current neutron code base is to populate the default project ID for \u0027POST\u0027 requests. For other types of requests, the proposed implementation uses get_admin_context().\nI can say it addresses the issue.\n\nI still have a question from the maintenance perspective.\nThis means that neutron uses the elevated context with a fake project ID for POST requests but the admin context without a project ID is used for other types of requests. Ideally it would be nice if we use a same type of context for all types of requests for simplicity.\nI would like to hear opinions from other reviewers (but I don\u0027t want to block thsi change only from this reason).\n\n[1] https://github.com/openstack/neutron/blob/master/neutron/pecan_wsgi/hooks/context.py#L26\n[2] https://github.com/openstack/neutron/blob/master/neutron/wsgi.py#L293-L294","commit_id":"70856e829b7ccdd823b4b28953832d30082a2516"},{"author":{"_account_id":8833,"name":"Rabi Mishra","email":"ramishra@redhat.com","username":"rabi"},"change_message_id":"ef22f9bcfb87ee7deaba7f501f7ec93e89c0e74f","unresolved":true,"context_lines":[{"line_number":45,"context_line":"    @webob.dec.wsgify"},{"line_number":46,"context_line":"    def __call__(self, req):"},{"line_number":47,"context_line":"        ctx \u003d context.Context.from_environ(req.environ)"},{"line_number":48,"context_line":"        if not ctx.project_id and req.method \u003d\u003d \u0027POST\u0027:"},{"line_number":49,"context_line":"            # Inject project_id"},{"line_number":50,"context_line":"            ctx.project_id \u003d \u0027fake_project_id\u0027"},{"line_number":51,"context_line":"            # Inject the context with the admin flag set"}],"source_content_type":"text/x-python","patch_set":5,"id":"b0337028_ae5d2406","line":48,"range":{"start_line":48,"start_character":34,"end_line":48,"end_character":54},"in_reply_to":"a10ff204_96747d8b","updated":"2021-07-05 15:57:05.000000000","message":"From what I understand, whether using admin context or not for noauth is irrelevant. We\u0027re using admin context to avoid  certain validations in api layer for context project_id to match with request body project_id when not using admin context.\n\nI had added that \u0027POST\u0027 check before I considered elevating the context, but I can remove it and in fact removed it in the next patchset.","commit_id":"70856e829b7ccdd823b4b28953832d30082a2516"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"984b17d3dd06d81fa3e95a1c083c0328e57d611e","unresolved":true,"context_lines":[{"line_number":45,"context_line":"    @webob.dec.wsgify"},{"line_number":46,"context_line":"    def __call__(self, req):"},{"line_number":47,"context_line":"        ctx \u003d context.Context.from_environ(req.environ)"},{"line_number":48,"context_line":"        if not ctx.project_id and req.method \u003d\u003d \u0027POST\u0027:"},{"line_number":49,"context_line":"            # Inject project_id"},{"line_number":50,"context_line":"            ctx.project_id \u003d \u0027fake_project_id\u0027"},{"line_number":51,"context_line":"            # Inject the context with the admin flag set"}],"source_content_type":"text/x-python","patch_set":5,"id":"bd7fe933_21bc0cb6","line":48,"range":{"start_line":48,"start_character":34,"end_line":48,"end_character":54},"in_reply_to":"b0337028_ae5d2406","updated":"2021-07-05 19:48:18.000000000","message":"I think I agree with Akihiro - let\u0027s use elevated context with same project id for all calls. It should works like that too but I don\u0027t think that this \"if\" is really necessary here.","commit_id":"70856e829b7ccdd823b4b28953832d30082a2516"},{"author":{"_account_id":8833,"name":"Rabi Mishra","email":"ramishra@redhat.com","username":"rabi"},"change_message_id":"d6ce4816b8ce1eb54e7f62e704d68b44b66c1376","unresolved":true,"context_lines":[{"line_number":45,"context_line":"    @webob.dec.wsgify"},{"line_number":46,"context_line":"    def __call__(self, req):"},{"line_number":47,"context_line":"        ctx \u003d context.Context.from_environ(req.environ)"},{"line_number":48,"context_line":"        if not ctx.project_id and req.method \u003d\u003d \u0027POST\u0027:"},{"line_number":49,"context_line":"            # Inject project_id"},{"line_number":50,"context_line":"            ctx.project_id \u003d \u0027fake_project_id\u0027"},{"line_number":51,"context_line":"            # Inject the context with the admin flag set"}],"source_content_type":"text/x-python","patch_set":5,"id":"25c1fee7_184e5248","line":48,"range":{"start_line":48,"start_character":34,"end_line":48,"end_character":54},"in_reply_to":"bd7fe933_21bc0cb6","updated":"2021-07-06 02:02:41.000000000","message":"yes it is redundant here, but if someone uses this middleware by mistake with keystone auth, this \u0027if\u0027 would  ensure that nothing would change.","commit_id":"70856e829b7ccdd823b4b28953832d30082a2516"},{"author":{"_account_id":8833,"name":"Rabi Mishra","email":"ramishra@redhat.com","username":"rabi"},"change_message_id":"08c25fa0acdd35a4b7cb9fadaaf1c578af069cba","unresolved":true,"context_lines":[{"line_number":45,"context_line":"    @webob.dec.wsgify"},{"line_number":46,"context_line":"    def __call__(self, req):"},{"line_number":47,"context_line":"        ctx \u003d context.Context.from_environ(req.environ)"},{"line_number":48,"context_line":"        if not ctx.project_id and req.method \u003d\u003d \u0027POST\u0027:"},{"line_number":49,"context_line":"            # Inject project_id"},{"line_number":50,"context_line":"            ctx.project_id \u003d \u0027fake_project_id\u0027"},{"line_number":51,"context_line":"            # Inject the context with the admin flag set"}],"source_content_type":"text/x-python","patch_set":5,"id":"961f13f6_1b6001c0","line":48,"range":{"start_line":48,"start_character":34,"end_line":48,"end_character":54},"in_reply_to":"e644c522_e90852c3","updated":"2021-07-05 10:58:16.000000000","message":"Yes there is a problem as the projects that earlier used to pass project_id in request body  with noauth and have different project_id would not be listed with \u0027GET\u0027 requests. Also, AFAICT project_id is only mandatory for \u0027POST\u0027 requests.","commit_id":"70856e829b7ccdd823b4b28953832d30082a2516"},{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"650a110dd88d2fda38a13526999cdcc7d5d08cf0","unresolved":true,"context_lines":[{"line_number":49,"context_line":"            # Inject project_id"},{"line_number":50,"context_line":"            ctx.project_id \u003d \u0027fake_project_id\u0027"},{"line_number":51,"context_line":"            # Inject the context with the admin flag set"},{"line_number":52,"context_line":"            req.environ[\u0027neutron.context\u0027] \u003d ctx.elevated()"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"        return self.application"},{"line_number":55,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"2d8ef337_1daff679","line":52,"range":{"start_line":52,"start_character":45,"end_line":52,"end_character":59},"updated":"2021-07-05 10:40:39.000000000","message":"question: why do you need ctx.elavated() here? Isn\u0027t it enough to pass proejct_id, or do we need the elevated context explicitly? My question comes from the existing behavior when project_id is passed explicitly.\n\nI originally thought that it is perhaps enough if we populate HTTP_X_PROJECT_ID envvar before calling Context.from_envoron() at L.47, but it looks like that you see more than that.","commit_id":"70856e829b7ccdd823b4b28953832d30082a2516"},{"author":{"_account_id":8833,"name":"Rabi Mishra","email":"ramishra@redhat.com","username":"rabi"},"change_message_id":"08c25fa0acdd35a4b7cb9fadaaf1c578af069cba","unresolved":true,"context_lines":[{"line_number":49,"context_line":"            # Inject project_id"},{"line_number":50,"context_line":"            ctx.project_id \u003d \u0027fake_project_id\u0027"},{"line_number":51,"context_line":"            # Inject the context with the admin flag set"},{"line_number":52,"context_line":"            req.environ[\u0027neutron.context\u0027] \u003d ctx.elevated()"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"        return self.application"},{"line_number":55,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"92aab69a_5a51ee72","line":52,"range":{"start_line":52,"start_character":45,"end_line":52,"end_character":59},"in_reply_to":"2d8ef337_1daff679","updated":"2021-07-05 10:58:16.000000000","message":"I\u0027ve mentioned this in an earlier patchset. The issue is we check[1] for context project_id and request body project_id to match unless is_admin flag is true. This is for backward compatibility for cases where we pass project_id[2].\n\nAn admin can only create a resource for a different project.\n\n[1] https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/attributes.py#L26-L31\n\n[2]https://github.com/openstack/neutron/blob/master/neutron/tests/fullstack/test_ports_rebind.py#L52-L55(This tests use noauth and pass tenant_id in create requests)","commit_id":"70856e829b7ccdd823b4b28953832d30082a2516"},{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"ab999fee023a1b29c399f557d162280434d40888","unresolved":true,"context_lines":[{"line_number":49,"context_line":"            # Inject project_id"},{"line_number":50,"context_line":"            ctx.project_id \u003d \u0027fake_project_id\u0027"},{"line_number":51,"context_line":"            # Inject the context with the admin flag set"},{"line_number":52,"context_line":"            req.environ[\u0027neutron.context\u0027] \u003d ctx.elevated()"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"        return self.application"},{"line_number":55,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"e14a03ec_b2c4eef3","line":52,"range":{"start_line":52,"start_character":45,"end_line":52,"end_character":59},"in_reply_to":"92aab69a_5a51ee72","updated":"2021-07-05 14:53:47.000000000","message":"I understand the full context now as I mentioned in the above comment at L.48.\nPreviously we use get_admin_context() for all requests with noauth, so we need the same privilege for POST with project_id. I got it.","commit_id":"70856e829b7ccdd823b4b28953832d30082a2516"},{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"650a110dd88d2fda38a13526999cdcc7d5d08cf0","unresolved":true,"context_lines":[{"line_number":52,"context_line":"            req.environ[\u0027neutron.context\u0027] \u003d ctx.elevated()"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"        return self.application"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"def pipeline_factory(loader, global_conf, **local_conf):"},{"line_number":58,"context_line":"    \"\"\"Create a paste pipeline based on the \u0027auth_strategy\u0027 config option.\"\"\""}],"source_content_type":"text/x-python","patch_set":5,"id":"a9c507ce_9b95a49f","line":55,"updated":"2021-07-05 10:40:39.000000000","message":"This change always adds project_id when project_id is not passed in API requests.\nI wonder we need to do this based on a configuration option.\nWe don\u0027t know all existing use cases of this feature. If soemone always specifies project_id with noauth and they does not want to use the default project_id feature proposed here, what should they do?\nThe solution would be to disable this feature by dropping the middleware from \"noauth\" pipeline.\n\n--\n\nThe next question is what should be the default behavior.\nShould we keep the existing behavior and allow users to enable this feature as opt-in, or should we change the default behavior to a more convenient one?\n\nI am personally okay with either way.\n\nIf we go to the latter route, you need to cover this in the \"Upgrade Impact\" seciton in the release note and explain how to disable this feature there.","commit_id":"70856e829b7ccdd823b4b28953832d30082a2516"},{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"ab999fee023a1b29c399f557d162280434d40888","unresolved":true,"context_lines":[{"line_number":52,"context_line":"            req.environ[\u0027neutron.context\u0027] \u003d ctx.elevated()"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"        return self.application"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"def pipeline_factory(loader, global_conf, **local_conf):"},{"line_number":58,"context_line":"    \"\"\"Create a paste pipeline based on the \u0027auth_strategy\u0027 config option.\"\"\""}],"source_content_type":"text/x-python","patch_set":5,"id":"6b502026_443c8910","line":55,"in_reply_to":"67ff62d4_46aa0573","updated":"2021-07-05 14:53:47.000000000","message":"I see two aspects of backward compatibility.\nThe one is that users can still pass project_id and no behavior change happens as you mentioned.\nThe other is that no exception will be raised any more when no project_id is specified in a request body. This is what this commit is changing, so the change itself sounds good, but I am not sure someone depends on this behavior. Thus, I would suggest to cover it in the release note. Please check my comment in the release note.","commit_id":"70856e829b7ccdd823b4b28953832d30082a2516"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"984b17d3dd06d81fa3e95a1c083c0328e57d611e","unresolved":true,"context_lines":[{"line_number":52,"context_line":"            req.environ[\u0027neutron.context\u0027] \u003d ctx.elevated()"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"        return self.application"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"def pipeline_factory(loader, global_conf, **local_conf):"},{"line_number":58,"context_line":"    \"\"\"Create a paste pipeline based on the \u0027auth_strategy\u0027 config option.\"\"\""}],"source_content_type":"text/x-python","patch_set":5,"id":"80fac397_ec463d33","line":55,"in_reply_to":"6b502026_443c8910","updated":"2021-07-05 19:48:18.000000000","message":"IMHO this is configurable as operator can remove it from the noauth pipeline in api-paste.ini file","commit_id":"70856e829b7ccdd823b4b28953832d30082a2516"},{"author":{"_account_id":8833,"name":"Rabi Mishra","email":"ramishra@redhat.com","username":"rabi"},"change_message_id":"08c25fa0acdd35a4b7cb9fadaaf1c578af069cba","unresolved":true,"context_lines":[{"line_number":52,"context_line":"            req.environ[\u0027neutron.context\u0027] \u003d ctx.elevated()"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"        return self.application"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"def pipeline_factory(loader, global_conf, **local_conf):"},{"line_number":58,"context_line":"    \"\"\"Create a paste pipeline based on the \u0027auth_strategy\u0027 config option.\"\"\""}],"source_content_type":"text/x-python","patch_set":5,"id":"67ff62d4_46aa0573","line":55,"in_reply_to":"a9c507ce_9b95a49f","updated":"2021-07-05 10:58:16.000000000","message":"If the user passes a project_id in request body, the resource would be created with that project_id and it won\u0027t use the one in the context and is fully backward compatible.","commit_id":"70856e829b7ccdd823b4b28953832d30082a2516"}],"releasenotes/notes/allow-noauth-work-without-project-id-f92fac5df37810f0.yaml":[{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"ab999fee023a1b29c399f557d162280434d40888","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - Removes the requirement for create requests to provide a fake"},{"line_number":4,"context_line":"    \u0027project_id\u0027 in request body when using \u0027noauth\u0027 auth strategy."}],"source_content_type":"text/x-yaml","patch_set":5,"id":"279d3e07_c0ff72d1","line":4,"updated":"2021-07-05 14:53:47.000000000","message":"I would like to see some descritpion that fake_project_id is populated in a created resource. How about the following?\n\n When ``noauth`` auth_strategy is used, neutron no longer requires\n a resource creation request includes a dummy \u0027project_id\u0027 in request body.\n If no project_id is specified, the default project_id ``fake_project_id``\n will be populated automatically. It would make the use of ``noauth``\n auth_strategy simpler.\n If you prefer to the previous behavior, remove ``fake_request_id`` filter\n from ``noauth`` pipeline in ``api-paste.ini`` file.","commit_id":"70856e829b7ccdd823b4b28953832d30082a2516"},{"author":{"_account_id":8833,"name":"Rabi Mishra","email":"ramishra@redhat.com","username":"rabi"},"change_message_id":"66fd814081cae56def3524a7bfbb39fd37093fb6","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - Removes the requirement for create requests to provide a fake"},{"line_number":4,"context_line":"    \u0027project_id\u0027 in request body when using \u0027noauth\u0027 auth strategy."}],"source_content_type":"text/x-yaml","patch_set":5,"id":"7c1d702e_9924ffb9","line":4,"in_reply_to":"279d3e07_c0ff72d1","updated":"2021-07-05 15:22:46.000000000","message":"\u003e  If you prefer to the previous behavior, remove ``fake_request_id`` filter\n from ``noauth`` pipeline in ``api-paste.ini`` file.\n\nIt does not change the previous behavior in any way.","commit_id":"70856e829b7ccdd823b4b28953832d30082a2516"}]}